from the this-again? dept

You would think after last year's attention-grabbing lawsuit about the Lower Merion School district using some surreptitious monitoring software to activate webcams and snap photos of kids at home that others would be a lot more careful about their use of such software. After all, the school district ended up having to pay out $610,000 to settle the lawsuit filed against it.

However, in a similar story, a Wisconsin couple has apparently sued Aaron's Inc. for spying on them. Aaron's is a giant "rent-to-own" retailer, offering furniture, electronics and computers on a rent-to-own basis. In this case, the couple had rented a Dell laptop from the company, and later discovered that it had sneaky monitoring software on it which they were unaware of... but which was used to turn on the laptop's webcam and take pictures of the family without them knowing about it.

The only way they found out was that a store manager came to take back the computer, incorrectly believing the couple had not paid their bill (they had). When he showed up, he showed them a photo he had, which was taken from the webcam, which (understandably) freaked out the couple. They asked him how he got the photo, and his response was that he wasn't supposed to show them the photo. Well, that's comforting. Apparently, the product that was used to do this monitoring was hardware based as well, meaning that it couldn't be detected or turned off via software.

The couple and their lawyers are seeking to turn this into a class action for all renters of computers from Aaron's that have this tracking technology. Also, the couple contacted the police, who apparently still have the computer, so I guess there's at least some review of whether or not this is a criminal matter. The AP article (linked in the paragraph above) has a short discussion on whether or not this effort violated either ECPA or the CFAA:

Two attorneys who are experts on the relevant computer privacy laws, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, said it's difficult to tell if either was broken, though both agree the company went too far.

Peter Swire, an Ohio State professor, said using a software "kill switch" is legal because companies can protect themselves from fraud and other crimes.

Further, Swire said the Computer Fraud and Abuse Act "prohibits unauthorized access to my computer over the Internet. The renter here didn't authorize this kind of access."

Fred Cate, an information law professor at Indiana University, agrees that consent is required but said the real question might be: "Whose consent?"

It's no secret that both ECPA and CFAA have their problems, but it seems like this might be the type of case that those laws were more designed to cover -- though, that definitely depends on some of the details which haven't come out yet.

Hardware-based??

The real thing ECPA and CFAA are meant to do is to help big business prevent people from doing things they don't like. The only question is: Is Aaron's a big business? If so, then they get a free pass. Also, if they are a big business, they probably have a cause of action against the couple for revealing the existence of the software/hardware.

Re:

aaron's

Concerning the recent allegations regarding customer privacy and Aaron’s, Robin Loudermilk, CEO and President of Aaron’s, issued the following statement:

"Aaron’s cares about our customers – this is the value we’ve built our business on for more than 55 years. Aaron’s customers can be assured that we’re taking this allegation very seriously. We are conducting a thorough investigation and diligently reaching out to our customers to address any of their concerns."

If you are a customer and have questions regarding your computer privacy at Aaron’s, call 1-888-333-3785.

I'm just curious.
This spying is done via a hardware based system that cannot be detected or turned off by software.
The computer is sold on a rent-to-own basis, so presumably the computer will eventually become the property of the renter.
Is the hardware eventually disabled without letting the owner know, or is this system now a permanent back door into every single computer this place has ever rented?
If I were a lawyer involved in this, I'd like to see records of every system sold with this spy system, and how many of them are still active.

Re: aaron's

And if you call our toll free number with questions about your computer privacy, we'll make sure to take photos of everything you do in your home, so please make sure to always have the laptop open and placed so the camera gets a full view of the room which you are occupying.

Failure to occupy the same room as your laptop while we are attempting to take pictures of you and/or your family will result in Aaron's sending a store manager to your home to further question your blatant disregard of our right to know what you are doing at all times.

Re:

I think you've hit the nail on the head. I hope that if the class action suit moves forward this investigation takes place. I would think that any post-sale access of the "spying" hardware would constitute a breach of the law.

Re: Re: Re: Re: Rent to pwn

Yeah, yeah... :P~~~~~~~~ to you too.

Actually, it is amazing how much hardware Linux DOES support. Vendors write drivers for Microsoft. Linux has to reverse engineer half the stuff that is supported, and the result is often as good or better than the proprietary solution.

Security boo boo

The kill-switch mentioned above would be the only defense that Aaron's could claim. Of course the laptop would have to be equipped with a mobile card or have access to the internet in the first place to make it transmit the signal. Unless the computer user does a secure wipe of the HDD, they are liable to send over any and all information back to the company.

This opens up an even greater case of privacy that is itself so boiled up in grey area already.

Re: aaron's

"We are conducting a thorough investigation and diligently reaching out to our customers to address any of their concerns."

"For instance, Bob, Bob Jones of Airsdale. You have a funny look on your face while reading this announcement. Don't worry, we take the matter very seriously. And don't make that face or it will freeze that way. And maybe you should clean up that pigsty you call a room once in a while eh?"

"And you, Lisa Tennington. You should probably put some pants on. Our surveillance staff take their job very seriously and we don't want to have to fire them for technically looking at naked women at work."

"Rest assured we will not stop reaching out to you, our loyal customers, especially Brenda, Jake, and Marcus. For god's sake Marcus, you need to shave. It's been 3 days and that stubble just does NOT look good on you."

What about the bandwidth costs and the connection that is being 'stolen' by the hardware to transmit the images?

In the current climate, many users' internet connections are limited, and I'm not sure about the size/volume of data being transmitted via this hardware spying, I see two possible issues.

First this 'unauthorized access of a computer network' since the users didn't give permission for the pictures to be transmitted over their internet connection. This bogus claim has been used against multiple individuals for various computer related 'crimes' that weren't really crimes, so it should be applicable to Companies as well.... right?

If this data put anyone over their ISP's limit and forced them to pay additional fees, there should be some sort of claim to recoup these costs. Also, they 'stole' the connection, so there has to be some payment for that (if you can steal a song, you can steal an internet connection, amIright?)

I'm sure this would also all depend on who the laptop was rented to... I'm sure the laptop rented to the 18 year old female college swimsuit model was 'transmitting' a lot more pictures and video than the one rented to the 40 year old overweight balding middle aged man...

Is this a case of outrageous privacy intrusions by greedy companies or a case of greedy lawyers trying to cash in with a class action suit and greatly exaggerating the invasion of privacy claims? There is not enough publicly available information to determine that right now. Discovery about how the system actually works will show how capable it was of invading privacy. The lawsuit takes partial information and guesses at the rest while assuming the worst.

An overview:
Designerware installs their PC Rental Agent software onto a computer intended for rental. This software works along with a CD or USB dongle, and maybe some additional hardware soldered onto the motherboard. The "agent" reports back to a Designerware server every two hours. Designerware gets paid only for rented computers that are in use so that two hour interval is probably only for a simple status report. Any data stored in the server about a computer is made available to Aaron's. According to Aaron's, only regional managers can access this data and change PC Rental Agent settings. The purpose of the agent software is, in case of payment default or theft, to prevent the use of the computer and to aid in recovery. When a renter defaults, an Aaron's manager can change the settings remotely to lockdown the computer until the user enters a special password known to Aaron's.

Hardware based?
The lawsuit says that some device from Designerware, the maker of the PC Rental Agent, was soldered onto the motherboard and/or is part of the Intel chipset. Really, part of the Intel chipset? (ROTFL!) It further explains that a "wand" is needed to deactivate this hardware/software system.
My speculation is that, if there is something soldered into the motherboard, it is put there by Designerware to prevent both Aaron's and the end-user from disabling the PC rental agent from running on the computer. I am skeptical because hand soldering a motherboard is both labor intensive and risky. Their business model of $1.95 for setup and 50 cents/month for use does not support such a risky and labor intensive step. Designerware's current product page describes a CD or USB dongle that is needed to unlock the computer. This is the only hardware described! The vast majority of the functionality of this agent is undoubtedly implemented via software.

Can Aaron's disable the system?
I am guessing that the system's normal, default, setting is to only collect status information, that the computer is in use. Aaron's regional managers can change the software settings. One would expect that Aaron's only changes the settings when the renter has stopped paying. What may be true is that Aaron's cannot disable the whole system from reporting to Designerware's servers. I think they do have control over what information, beyond status, is collected. This brings up the question as to how the PC Rental Agent is removed if a user actually ends up buying the computer. I see two possible methods:
1). the software stays installed, but is disabled remotely by Designerware and afterward does not send any data to their server and no longer requires the dongle.
2). Aaron's must re-install the OS, presumably Windows. This eliminates the software, the need for a dongle, and all user data.
Undoubtedly, a more common step is the user returns the computer without buying it. Here, the F3 key is used to reload Windows with an option to save user data. It is not clear if they mean re-installing Windows or simply rebooting Windows. Allowing a reboot of a locked system seems to be a security loophole allowing the machine to be used until it is locked again.

What information can be collected?
Software with administrative privileges has the potential to monitor and transmit information about everything you do on your computer. The lawsuit claims the Designerware system collects screenshots, webcam images, and keystrokes. It is clear a webcam photo can be taken and transmitted to the server. I think they are just speculating. What Ashton Kelly of Designerware describes is a pop-up window which, deceptively, asks for name, address, and telephone number because the Windows Registry requires it. When this information is entered the webcam takes a photo and all that data is sent to Designerware's central server. I think the plaintiff's lawyers are taking this and extrapolating to a much more intrusive capability. However, it is conceivable that Designerware has allowed a lot of information to be collected in order to recover a stolen computer or one with payments in default. It will be interesting to see these details come out.

Can privacy intrusion be justified?
If the computer was stolen, there should be no question that the owner has the right to collect any information about the user in a stealthy manner. I'm not sure that a default in payment justifies collecting any and all information. I think the information collected from the pop-up window is justified, even if it is done deceptively because it is quite limited in scope. If such limited collection of information is legal then Aaron's collecting such information mistakenly, with no malevolent intent, is also legal. The question, in this case, is why was the PC Rental Agent software still active two months after the Byrds had purchased the system. Does Aaron's ever move to deactivate this software when a computer is purchased?

Fourth Amendment Violation

How is this clandestine spying on renters legal? The fourth amendment says, "The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, ..." Has respect for the US Constitution gone out of style or something? Spying on users with a clandestine webcam is the precise equivalent of the activities of peeping toms. There have been laws on the books making being a peeping tom illegal, for many decades. Why have the perps not been charged?

Web Cam monitoring

Great article and analysis! Good job!
Sounds like this falls under the area of law with respect to employers and employees. After all, the computer belongs to the rental agency (pseudo employer) with the renters being the pseudo "employees". Not sure how it would play out, I suspect it depends on the terms of the rental agreement and, as you said, other facts.

Re: Fourth Amendment Violation

> How is this clandestine spying on renters legal? The fourth
> amendment says, "The right of the people to be secure in
> their persons, houses, papers and effects, against unreasonable
> searches and seizures, shall not be violated

The 4th Amendment doesn't apply to private individuals or businesses.

This sort of misperception comes up so frequently in discussions of this nature that it really is disheartening how many people have no understanding of the basic fundamentals of our system of government.

Free Aarons Laptop

I just found this article. Not sure if anyone will see this post and/or reply but... my girlfriend has bought 2 computers (one desktop, one laptop). Her desktop is paid off but she just recently acquired the laptop. Any idea how to either determine if the software is on any of the computers or if she can remove the software???